Cyber Security Act (CSA)/en
Amending Act
Regulation (EU) 2025/37 | |
---|---|
Title: | Regulation (EU) 2025/37 of the European Parliament and of the Council of 19 December 2024 amending Regulation (EU) 2019/881 as regards managed security services |
Short title: | Cyber Security Act/Cybersecurity Act |
Designation: (unofficial) | CSA |
Type: | Regulation (EU), EEA relevance |
Legal area: | Internal Market, Cybersecurity |
Basis: | TFEU, in particular Art. 114 |
Reference: | OJ L 2025/37, 1 |
Applicable from: | February 4, 2025 |
Status: | applicable |
Original Act
Regulation (EU) 2019/881 | |
---|---|
Title: | Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on cybersecurity certification of information and communications technology and repealing Regulation (EU) No 526/2013 |
Short title: | Cyber Security Act/Cybersecurity Act |
Designation: (unofficial) | CSA |
Scope: | EEA |
Legal area: | Internal Market, Cybersecurity |
Basis: | TFEU, in particular Art. 114 |
Full text: | Consolidated version (unofficial); original version |
Note on the currently applicable version of European Union legal acts |
Introduction
Regulation (EU) 2019/881 (Cybersecurity Act or CSA), which entered into force in June 2019, pursued two main objectives: Firstly, it strengthened the position of the EU Agency for Cybersecurity (ENISA) by granting it a permanent mandate and expanding its tasks and resources. Secondly, it introduced an EU-wide cybersecurity certification framework to establish uniform standards for ICT products, services, and processes across the EU.
The 2025 amendment to the Cyber Security Act[1], which enters into force on February 4, 2025, builds on the original regulation and introduces several innovations.
Core Content
Role and Competences of the European Union Agency for Network and Information Security (ENISA) (Articles 4-45 CSA)
ENISA receives a permanent mandate as a competence center for cybersecurity in the EU.
Its tasks now include advising on, supporting, and promoting EU cybersecurity policy. It shall issue opinions, publish guidelines, and provide advice on topics such as risk management and the reporting of security incidents. It is also responsible for developing and managing the European framework for cybersecurity certification of ICT products, services, and processes.
Introduction of an EU-wide certification system (Articles 46-65 CSA)
The second core area is the creation of a uniform cybersecurity certification framework:
An EU-wide certification system for information and communication technology products, services, and processes will be introduced. ENISA is responsible for establishing and maintaining this certification framework. The system sets uniform requirements and assessment criteria for cybersecurity across the EU. Certificates attest to the fulfillment of certain security requirements and classify trustworthiness as "low," "substantial," or "high."
European Union Cybersecurity Certification Scheme for ICT Products (EU CC Scheme)
In January 2024, the European Commission adopted the Implementing Regulation for the EU Cybersecurity Certification Scheme based on Common Criteria (EUCC),[2] which builds on the SOG-IS scheme. The EUCC scheme is voluntary and allows ICT providers who wish to demonstrate the reliability of their products to undergo a uniform, EU-wide assessment procedure to certify ICT products such as technological components (chips, smartcards), hardware, and software. It provides two security levels, chosen according to the risk associated with the intended use of the product, service, or process, measured in terms of the likelihood and impact of an incident. The EUCC is thus the first European certification scheme and will enter into force on February 27, 2025.[3]
ENISA is currently working on two further cybersecurity certification schemes, EUCS for cloud services and EU5G for 5G security.
2025 Amendment: Cybersecurity Certification for "Managed Security Services"[4] [5]
The proposal introduces a definition of "managed security services" which is based on the definition of "providers of managed security services" in the NIS 2 Directive. Managed security services are services that consist of carrying out or supporting activities related to their customers' cybersecurity risk management (Art. 1 Para 2 CSA-N). Furthermore, a new Article 51a is inserted on the security objectives of European cybersecurity certification schemes tailored to managed security services. On this basis, the EU Commission can adopt a delegated act for a certification scheme for managed security services.
Penalties/Other Consequences
Art. 65 CSA requires Member States to lay down effective, proportionate, and dissuasive penalties for infringements of European cybersecurity certification schemes.
Synergies
CSA
The CSA aims to create uniform framework conditions for cybersecurity certification in the EU by establishing voluntary certification schemes. These serve to strengthen trust in digital products, services, and processes. The EU Agency for Cybersecurity (ENISA) plays a central role in the development of these schemes.
CRA
The CRA sets cybersecurity requirements for products with digital elements to ensure a minimum level of security across the EU. Certain products must undergo mandatory certification.
Existing CSA certification schemes can be used in certain areas to prove compliance with CRA requirements.
Sources
1. https://eur-lex.europa.eu/eli/reg/2025/37/oj
2. https://eur-lex.europa.eu/eli/reg_impl/2024/482/oj
3. https://www.bundeskanzleramt.gv.at/themen/cybersicherheit/nationale-behoerde-fuer-cybersicherheitszertifizierung/common-criteria-eucc.html
4. https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:52023PC0208
5. https://www.consilium.europa.eu/en/press/press-releases/2024/12/02/cybersecurity-package-council-adopts-new-laws-to-strengthen-cybersecurity-capacities-in-the-eu/pdf/